QoS Policing Configuration Example

in this lesson you will learn how to configure the different types of policing on Cisco IOS routers:

  • Single rate, two-color
  • Single rate, three-color
  • Dual rate, three-color

If you have no idea what the difference is between the different policing types then you should start with my QoS Traffic Policing Explained lesson. Having said that, let’s configure some routers. I’ll use the following topology for this:

R1 R2

We don’t need anything fancy to demonstrate policing. I will use two routers for this, R1 will generate some ICMP traffic and R2 will do the policing.

Let’s start with the first policer…

Single Rate Two-Color Policing

Configuration is done using the MQC (Modular QoS Command-Line Interface). First we need to create a class-map to “classify” our traffic:

R2(config)#class-map ICMP
R2(config-cmap)#match protocol icmp

To keep it simple, I will use NBAR to match on ICMP traffic. Now we can create a policy-map:

R2(config)#policy-map SINGLE-RATE-TWO-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000                                           
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action drop

The policy-map is called “SINGLE-RATE-TWO-COLOR” and we configure policing for 128000 bps (128 Kbps) under the class-map. When the traffic rate is below 128 Kbps the conform-action is to transmit the packet, when it exceeds 128 Kbps we will drop the packet.

Above I first configured the police CIR rate and then I configured the “actions” in the “policer configuration”. You can also configure everything on one single line, then it will look like this:

R2(config-pmap-c)#police 128000 conform-action transmit exceed-action drop

Both options achieve the same so it doesn’t matter which one you use. For readability reasons I selected the first option.

Let’s activate the policer on the interface and we’ll see if it works:

R2(config)#interface FastEthernet 0/0
R2(config-if)#service-policy input SINGLE-RATE-TWO-COLOR

You need to use the service-policy command to activate the policer on the interface.

Time to generate some traffic on R1:

R1#ping 192.168.12.2 repeat 999999           
Type escape sequence to abort.
Sending 999999, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!

You can already see some of the packets don’t make it to their destination. Let’s see what R2 thinks about all these pings:

R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0 

  Service-policy input: SINGLE-RATE-TWO-COLOR

    Class-map: ICMP (match-all)
      1603 packets, 314382 bytes
      5 minute offered rate 18000 bps, drop rate 0 bps
      Match: protocol icmp
      police:
          cir 128000 bps, bc 4000 bytes
        conformed 1499 packets, 199686 bytes; actions:
          transmit 
        exceeded 104 packets, 114696 bytes; actions:
          drop 
        conformed 10000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

Above you can see that the policer is doing it’s job. The configured CIR rate is 128000 bps (128 Kbps) and the bc is set to 4000 bytes. If you don’t configure the bc yourself then Cisco IOS will automatically select a value based on the CIR rate. You can see that most of the packets were transmitted (conformed) while some of them got dropped (exceeded).

If you understand the theory about policing then the configuration and verification isn’t too bad right? Let’s move on to the next policer…

Single Rate Three-Color Policing

If you understood the previous configuration then this one will be easy. I’ll use the same class-map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 740 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

556 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. It is a good post. In your example, pir is cir + Be, right ? what is pir meaning ? why do you choose pir as 256000 ?

  2. Rene,
    Great article. I can see you applied policy-map on R2 in the inbound direction.
    What if we need to ping from R2 to R1 how can we then apply a policy map?
    Do we need another policy-map with the same configs?

    Hamood

  3. Hi Hamood,

    Policing can be applied in- or outbound. I applied it inbound on R2 so that we can police whatever we receive from R1. You could also apply it outbound on R2, this would police any traffic from traffic (behind R2) headed towards R1.

    You can use the same policy-map in- and outbound.

    Rene

  4. Rene, great article, thanks for sharing your knowledge.

    In the ISP world, if I have 25mb download and 1mb upload contract rate, will they be policing my traffic inbound on their premise? What about when I run a speed test, the results are coming from my gateway doing any policing or from the isp side?

    Thanks,

    Jose

49 more replies! Ask a question or join the discussion by visiting our Community Forum